Forum Discussion

Nagesh_Nanju_12
Sep 28, 2013

Access Policy on BIGIP 2000S LTM

Hi, we have recently purchased 2 BIGIP 2000S LTM boxes; we intend to load balance our web servers (2 of them) with this.

We have updated the software to 11.2.1 and configured both the LTMs in HA mode (Active/Standby).

We have connected the External interface to our DMZ network, which is connected to a firewall, and the Internal interface to a L2 switch where we have also connected the web servers.

We have configured http & https services on the LTMs to allow inbound traffic to the web servers.

Traffic flow: Internet-->Firewall-->DMZ Network-->F5-BIGIP LTM-->Web Servers | Internal LAN --> Database Server

Now the challenge is we need to allow the following services to and from the Web servers.

a) RDP from our internal LAN (not the LTM internal LAN) through our firewall
b) Database connectivity to the web servers (Database is hosted in our internal LAN)
c) Some specific website access to the web servers through the firewall

Since the servers do not have any other connectivity but the connectivity to the BIGIP LTM, I couldn't find any option on the LTM to configure outbound access to these webservers.

I'm clueless on how to get this resolved. Kindly help in this regard.

Thanks n regards /\/agesh


6 Replies

  • Here are a few considerations:

    1. Are the web servers dual-homed (one leg connected to a switch connected to the LTM, and the other leg in the internal LAN)? If so, does the LTM have a route to this internal LAN? Without a route it'll be difficult to get traffic to/from these servers.

    2. In order for the web servers to get outbound access, you can set up a forwarding VIP (0.0.0.0/0 type forwarding IP) on the LTM's internal interface, and establish a default outbound route.

    http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html?sr=32193157

    3. If the LTM can route to the internal LAN, and you want external access to services in this LAN, you could either set up virtual server instances or simply create NATs on the LTM.
  • Hi Kevin, thanks for the response.

    Please find my response below.

    1. Web servers are not dual-homed and they are only connected to the internal interface of the LTM (through a L2 switch).

    We have our current setup on Radware Alteon and it's working fine without much fuss. The servers are just sitting behind the LTMs and we are able to reach the servers from our internal segment through the firewall with defined policies.

    Please help, if we can do the same with F5 LTM.

    Thanks n regards /\/agesh


  • Getting a somewhat clearer picture.

    OUTBOUND: If you want to be able to talk to the outside world through the LTM, the LTM must be able to forward/route the traffic outbound. This requires a forwarding VIP and a default outbound route on the LTM, and for the servers to send requests in the LTM's direction.

    INBOUND: If you want to be able to route traffic through the LTM from the outside (or another network/VLAN) to servers on the inside, you either need a NAT (1-1 IP mapping) or a virtual server (wildcard or specific).

    The LTM is a default deny device, so you have to be specific about what services you want to be able to pass, and from which direction.
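    The three pieces described in the reply above (a default route plus an IP-forwarding virtual server for outbound traffic, a one-to-one NAT or a specific virtual server for inbound access, and keeping each listener as narrow as the default-deny model allows), written out as an added tmsh example; this is not configuration from the thread or from F5, and every address, VLAN name and object name is a placeholder assumed for illustration.

```tmsh
# Added example, not configuration from this thread or from F5. Assumed addressing:
#   VLAN "internal": floating self IP 10.10.10.1/24, web servers 10.10.10.11 and .12
#   VLAN "external": self IP 192.0.2.10/24, firewall (DMZ gateway) 192.0.2.1
# Assumed prerequisites: the web servers' default gateway is 10.10.10.1, and the
# firewall routes the NAT/virtual addresses below back to the LTM's external side.

# 1. Default route so the LTM can forward traffic toward the firewall.
create net route default_via_fw network 0.0.0.0/0 gw 192.0.2.1

# 2. OUTBOUND: IP-forwarding virtual server, enabled only on the internal VLAN so
#    the wildcard listener is not reachable from the DMZ side. The source
#    restriction narrows it further to the web server subnet; if your release
#    does not accept the source property, omit it and keep the VLAN restriction.
create ltm virtual fwd_outbound \
    destination 0.0.0.0:0 mask 0.0.0.0 \
    source 10.10.10.0/24 \
    ip-forward \
    profiles add { fastL4 } \
    vlans-enabled vlans add { internal }

# 3. INBOUND: one-to-one NAT per web server, accepted only on the external VLAN.
#    A BIG-IP NAT is bidirectional: connections the web server opens (e.g. to
#    the database in the internal LAN) also leave with its translation address.
#    The firewall policy still decides which internal hosts may reach
#    192.0.2.11/12 and on which ports (RDP, database, selected websites).
create ltm nat nat_web1 originating-address 10.10.10.11 translation-address 192.0.2.11 \
    vlans-enabled vlans add { external }
create ltm nat nat_web2 originating-address 10.10.10.12 translation-address 192.0.2.12 \
    vlans-enabled vlans add { external }

# 3b. Narrower alternative to a NAT: a specific virtual server exposes a single
#     service only (RDP to web1 here, on a separate address so it does not
#     overlap with the NAT above). Nothing else on 192.0.2.20 is reachable.
create ltm pool pool_web1_rdp members add { 10.10.10.11:3389 }
create ltm virtual vs_web1_rdp \
    destination 192.0.2.20:3389 ip-protocol tcp \
    profiles add { fastL4 } pool pool_web1_rdp \
    vlans-enabled vlans add { external }

save sys config
```

    Because the LTM is default deny, anything not matched by one of these listeners is dropped; verify the result with `show sys connection` while opening an RDP or database session from each side.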